Analysis
max time kernel: 120s
max time network: 18s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21/07/2024, 04:14

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 63d04110afa327a9b2774f7d9da32b70N.exe
Resource: win7-20240704-en
6 signatures
120 seconds

Behavioral task: behavioral2
Sample: 63d04110afa327a9b2774f7d9da32b70N.exe
Resource: win10v2004-20240709-en
6 signatures
120 seconds
General
Target: 63d04110afa327a9b2774f7d9da32b70N.exe
Size: 84KB
MD5: 63d04110afa327a9b2774f7d9da32b70
SHA1: 3eb88cd8ab0effdf210091eb9365d71db62291aa
SHA256: 9ac941fb3f7db442ed6d9bdce8928c9c168590ad1b7795c8356cddf616047dc3
SHA512: 6acc105ccaec61094c2a9d7830ceb973b78cd9926d028f6094cbeba8b53ace9655d8d63ec39430d4aa1d95b1bd72169e8a12cd60c31f089037cf8b806d5f5bec
SSDEEP: 1536:Ak4ocjTAbK1GagAaC8lyg/JHdR8PB8ANZLvfPDyH6n8dEelLYR7xeGSmUmmmmmmA:xcnABagAapyg/J9R8Pd3PDyH6n8djlLQ
Score: 10/10
Malware Config
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nppceo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgjman32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ipkhpk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Haafepbn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjcfjoil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Onejjm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iggdmkmn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfhghgie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlnbmikh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikafpbon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hldldq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jmhpfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdnmda32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opaeok32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cccgni32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnmdmj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Penlon32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmlief32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abkncmhh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehpgha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Afjplj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnahoh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eccdmmpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkgjge32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egbaelej.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Olokighn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgfqii32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpdkajic.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gaffja32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kchhholk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Febmfcjj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdophn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmlajm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found

Executes dropped EXE (64 IoCs)
pid | Process
2952 | Cafbmdbh.exe
2848 | Dahobdpe.exe
2896 | Dnlolhoo.exe
2960 | Difplf32.exe
1264 | Dihmae32.exe
2708 | Dbqajk32.exe
2612 | Dlifcqfl.exe
2400 | Ehpgha32.exe
3028 | Eecgafkj.exe
2924 | Eolljk32.exe
1544 | Ekblplgo.exe
2276 | Ehgmiq32.exe
2124 | Edmnnakm.exe
1228 | Epdncb32.exe
2208 | Fdbgia32.exe
2224 | Flmlmc32.exe
2288 | Fefpfi32.exe
236 | Falakjag.exe
1520 | Flbehbqm.exe
1076 | Fejjah32.exe
1116 | Gkgbioee.exe
908 | Gdpfbd32.exe
1812 | Gkiooocb.exe
920 | Ghmohcbl.exe
868 | Gklkdn32.exe
2584 | Gjahfkfg.exe
1580 | Gopnca32.exe
2864 | Hjfbaj32.exe
2868 | Hmdnme32.exe
2660 | Hoegoqng.exe
2648 | Hdapggln.exe
2264 | Hbepplkh.exe
2496 | Hgbhibio.exe
2052 | Hqkmahpp.exe
3012 | Iggbdb32.exe
2836 | Inajql32.exe
564 | Iekbmfdc.exe
1608 | Ijhkembk.exe
1060 | Ibeloo32.exe
1448 | Imkqmh32.exe
1652 | Iceiibef.exe
800 | Jiaaaicm.exe
2516 | Jnafop32.exe
1476 | Jekoljgo.exe
1172 | Jbooen32.exe
1164 | Jmhpfl32.exe
3048 | Jdbhcfjd.exe
1956 | Jjlqpp32.exe
1720 | Jafilj32.exe
2840 | Kfcadq32.exe
3044 | Kmmiaknb.exe
2764 | Kdgane32.exe
2800 | Kfenjq32.exe
2680 | Kblooa32.exe
2704 | Lccepqdo.exe
2452 | Lllihf32.exe
2072 | Lgejidgn.exe
2948 | Laknfmgd.exe
2912 | Lghgocek.exe
2308 | Lamkllea.exe
1892 | Lkepdbkb.exe
2284 | Lpbhmiji.exe
2520 | Mglpjc32.exe
924 | Mpeebhhf.exe

Loads dropped DLL (64 IoCs)
pid | Process
560 | 63d04110afa327a9b2774f7d9da32b70N.exe
560 | 63d04110afa327a9b2774f7d9da32b70N.exe
2952 | Cafbmdbh.exe
2952 | Cafbmdbh.exe
2848 | Dahobdpe.exe
2848 | Dahobdpe.exe
2896 | Dnlolhoo.exe
2896 | Dnlolhoo.exe
2960 | Difplf32.exe
2960 | Difplf32.exe
1264 | Dihmae32.exe
1264 | Dihmae32.exe
2708 | Dbqajk32.exe
2708 | Dbqajk32.exe
2612 | Dlifcqfl.exe
2612 | Dlifcqfl.exe
2400 | Ehpgha32.exe
2400 | Ehpgha32.exe
3028 | Eecgafkj.exe
3028 | Eecgafkj.exe
2924 | Eolljk32.exe
2924 | Eolljk32.exe
1544 | Ekblplgo.exe
1544 | Ekblplgo.exe
2276 | Ehgmiq32.exe
2276 | Ehgmiq32.exe
2124 | Edmnnakm.exe
2124 | Edmnnakm.exe
1228 | Epdncb32.exe
1228 | Epdncb32.exe
2208 | Fdbgia32.exe
2208 | Fdbgia32.exe
2224 | Flmlmc32.exe
2224 | Flmlmc32.exe
2288 | Fefpfi32.exe
2288 | Fefpfi32.exe
236 | Falakjag.exe
236 | Falakjag.exe
1520 | Flbehbqm.exe
1520 | Flbehbqm.exe
1076 | Fejjah32.exe
1076 | Fejjah32.exe
1116 | Gkgbioee.exe
1116 | Gkgbioee.exe
908 | Gdpfbd32.exe
908 | Gdpfbd32.exe
1812 | Gkiooocb.exe
1812 | Gkiooocb.exe
920 | Ghmohcbl.exe
920 | Ghmohcbl.exe
868 | Gklkdn32.exe
868 | Gklkdn32.exe
2504 | Gcimop32.exe
2504 | Gcimop32.exe
1580 | Gopnca32.exe
1580 | Gopnca32.exe
2864 | Hjfbaj32.exe
2864 | Hjfbaj32.exe
2868 | Hmdnme32.exe
2868 | Hmdnme32.exe
2660 | Hoegoqng.exe
2660 | Hoegoqng.exe
2648 | Hdapggln.exe
2648 | Hdapggln.exe

Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Bhgaan32.exe | Bgfdjfkh.exe
File opened for modification | C:\Windows\SysWOW64\Ngkfnp32.exe | Njgeel32.exe
File created | C:\Windows\SysWOW64\Omhjejai.exe | Onejjm32.exe
File created | C:\Windows\SysWOW64\Qcmkoiee.dll | Dmdkkm32.exe
File created | C:\Windows\SysWOW64\Bjnbiqik.dll | Gepeep32.exe
File created | C:\Windows\SysWOW64\Eained32.exe | Edenlp32.exe
File created | C:\Windows\SysWOW64\Kbkiab32.dll | Lnipilbb.exe
File created | C:\Windows\SysWOW64\Phpkjoim.exe | Process not Found
File created | C:\Windows\SysWOW64\Mqecodji.dll | Process not Found
File created | C:\Windows\SysWOW64\Liacqlhg.dll | Kfcadq32.exe
File created | C:\Windows\SysWOW64\Knlekjqk.dll | Difplf32.exe
File opened for modification | C:\Windows\SysWOW64\Kblooa32.exe | Kfenjq32.exe
File opened for modification | C:\Windows\SysWOW64\Gdophn32.exe | Gkfkoi32.exe
File created | C:\Windows\SysWOW64\Fkonlh32.dll | Jjqlbdog.exe
File opened for modification | C:\Windows\SysWOW64\Mbiokdam.exe | Mpjboi32.exe
File opened for modification | C:\Windows\SysWOW64\Nmgiga32.exe | Neldbo32.exe
File created | C:\Windows\SysWOW64\Okmceiii.exe | Oofbph32.exe
File opened for modification | C:\Windows\SysWOW64\Fdcahdib.exe | Fogipnjj.exe
File created | C:\Windows\SysWOW64\Ejmljg32.exe | Eccdmmpk.exe
File created | C:\Windows\SysWOW64\Kgcpgl32.exe | Kjopnh32.exe
File opened for modification | C:\Windows\SysWOW64\Amfeodoh.exe | Abaaakob.exe
File opened for modification | C:\Windows\SysWOW64\Meakbjaj.exe | Mnhbep32.exe
File created | C:\Windows\SysWOW64\Pfqimeai.dll | Process not Found
File created | C:\Windows\SysWOW64\Emfhbdbc.dll | Iiablido.exe
File created | C:\Windows\SysWOW64\Amjmpk32.exe | Aqcmkjje.exe
File opened for modification | C:\Windows\SysWOW64\Djmpmppn.exe | Process not Found
File created | C:\Windows\SysWOW64\Gpncdfkl.exe | Process not Found
File created | C:\Windows\SysWOW64\Fagfaekh.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Obnkpafp.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Pjeppb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Febmfcjj.exe | Fljhmmci.exe
File opened for modification | C:\Windows\SysWOW64\Gdgoll32.exe | Gaibpa32.exe
File created | C:\Windows\SysWOW64\Ohmllf32.exe | Oabdol32.exe
File created | C:\Windows\SysWOW64\Hdneohbk.exe | Process not Found
File created | C:\Windows\SysWOW64\Echoca32.exe | Process not Found
File created | C:\Windows\SysWOW64\Qcaejknk.dll | Nnkqih32.exe
File opened for modification | C:\Windows\SysWOW64\Nhpcmi32.exe | Nogodcli.exe
File created | C:\Windows\SysWOW64\Caohfl32.exe | Cfidhcbm.exe
File opened for modification | C:\Windows\SysWOW64\Pdpepejb.exe | Process not Found
File created | C:\Windows\SysWOW64\Chlool32.dll | Process not Found
File created | C:\Windows\SysWOW64\Nffenj32.exe | Ngcebnen.exe
File created | C:\Windows\SysWOW64\Nakcfhia.dll | Cceenilo.exe
File opened for modification | C:\Windows\SysWOW64\Lhaqld32.exe | Lbghpjih.exe
File created | C:\Windows\SysWOW64\Nljikmpj.dll | Jcodcp32.exe
File opened for modification | C:\Windows\SysWOW64\Onejjm32.exe | Oqajqi32.exe
File created | C:\Windows\SysWOW64\Oqmijp32.dll | Jodmdboj.exe
File opened for modification | C:\Windows\SysWOW64\Emeahc32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ibeloo32.exe | Ijhkembk.exe
File opened for modification | C:\Windows\SysWOW64\Bakgmgpe.exe | Ajqoqm32.exe
File opened for modification | C:\Windows\SysWOW64\Dlgjie32.exe | Dbaflm32.exe
File opened for modification | C:\Windows\SysWOW64\Cjkcedgp.exe | Cofohkgi.exe
File created | C:\Windows\SysWOW64\Eijpnkaj.dll | Lgcooh32.exe
File created | C:\Windows\SysWOW64\Dgmfmoge.dll | Egpdom32.exe
File opened for modification | C:\Windows\SysWOW64\Fdldmokn.exe | Eghcckld.exe
File created | C:\Windows\SysWOW64\Fojkij32.dll | Miciqgqn.exe
File created | C:\Windows\SysWOW64\Nadbabeo.dll | Process not Found
File created | C:\Windows\SysWOW64\Ikeomn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Mofeco32.dll | Lccepqdo.exe
File created | C:\Windows\SysWOW64\Eagdgaoe.exe | Ejmljg32.exe
File created | C:\Windows\SysWOW64\Anbohn32.exe | Ahhgkdfo.exe
File opened for modification | C:\Windows\SysWOW64\Bqbbpghe.exe | Process not Found
File created | C:\Windows\SysWOW64\Oaocoklg.dll | Process not Found
File created | C:\Windows\SysWOW64\Eqdbapoa.exe | Process not Found
File created | C:\Windows\SysWOW64\Jbfmkg32.exe | Process not Found

Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhplfp32.dll" | Gijncn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aioapp32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmbldke.dll" | Lllihf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Phckglbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oqfeda32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dlifcqfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjphff32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efdohq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Copobe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obhdpaqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobaok32.dll" | Edenlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll" | Ngoinfao.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lmkgajnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nhbpbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bggohi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jgmnhojl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjka32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlpfmk32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmnmahk.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gheola32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mdaedhoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qhoeqide.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fidjig32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Febmfcjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleoojhm.dll" | Hpqoofhg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagfaekh.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghfnq32.dll" | Ofmknifp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibngfe32.dll" | Dbaflm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ngcebnen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cialng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqeeabhm.dll" | Gfjicd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmcjlgi.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdimeom.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkqpfmje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jnafop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knhoig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgcpgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhignd32.dll" | Obbpio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpfhp32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekqpj32.dll" | Ehpgha32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lbghpjih.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgndfeek.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcflmnb.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcocnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdencdk.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 560 wrote to memory of 2952 | 560 | 63d04110afa327a9b2774f7d9da32b70N.exe | 29
PID 560 wrote to memory of 2952 | 560 | 63d04110afa327a9b2774f7d9da32b70N.exe | 29
PID 560 wrote to memory of 2952 | 560 | 63d04110afa327a9b2774f7d9da32b70N.exe | 29
PID 560 wrote to memory of 2952 | 560 | 63d04110afa327a9b2774f7d9da32b70N.exe | 29
PID 2952 wrote to memory of 2848 | 2952 | Cafbmdbh.exe | 30
PID 2952 wrote to memory of 2848 | 2952 | Cafbmdbh.exe | 30
PID 2952 wrote to memory of 2848 | 2952 | Cafbmdbh.exe | 30
PID 2952 wrote to memory of 2848 | 2952 | Cafbmdbh.exe | 30
PID 2848 wrote to memory of 2896 | 2848 | Dahobdpe.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Dahobdpe.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Dahobdpe.exe | 31
PID 2848 wrote to memory of 2896 | 2848 | Dahobdpe.exe | 31
PID 2896 wrote to memory of 2960 | 2896 | Dnlolhoo.exe | 32
PID 2896 wrote to memory of 2960 | 2896 | Dnlolhoo.exe | 32
PID 2896 wrote to memory of 2960 | 2896 | Dnlolhoo.exe | 32
PID 2896 wrote to memory of 2960 | 2896 | Dnlolhoo.exe | 32
PID 2960 wrote to memory of 1264 | 2960 | Difplf32.exe | 33
PID 2960 wrote to memory of 1264 | 2960 | Difplf32.exe | 33
PID 2960 wrote to memory of 1264 | 2960 | Difplf32.exe | 33
PID 2960 wrote to memory of 1264 | 2960 | Difplf32.exe | 33
PID 1264 wrote to memory of 2708 | 1264 | Dihmae32.exe | 34
PID 1264 wrote to memory of 2708 | 1264 | Dihmae32.exe | 34
PID 1264 wrote to memory of 2708 | 1264 | Dihmae32.exe | 34
PID 1264 wrote to memory of 2708 | 1264 | Dihmae32.exe | 34
PID 2708 wrote to memory of 2612 | 2708 | Dbqajk32.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | Dbqajk32.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | Dbqajk32.exe | 35
PID 2708 wrote to memory of 2612 | 2708 | Dbqajk32.exe | 35
PID 2612 wrote to memory of 2400 | 2612 | Dlifcqfl.exe | 36
PID 2612 wrote to memory of 2400 | 2612 | Dlifcqfl.exe | 36
PID 2612 wrote to memory of 2400 | 2612 | Dlifcqfl.exe | 36
PID 2612 wrote to memory of 2400 | 2612 | Dlifcqfl.exe | 36
PID 2400 wrote to memory of 3028 | 2400 | Ehpgha32.exe | 37
PID 2400 wrote to memory of 3028 | 2400 | Ehpgha32.exe | 37
PID 2400 wrote to memory of 3028 | 2400 | Ehpgha32.exe | 37
PID 2400 wrote to memory of 3028 | 2400 | Ehpgha32.exe | 37
PID 3028 wrote to memory of 2924 | 3028 | Eecgafkj.exe | 38
PID 3028 wrote to memory of 2924 | 3028 | Eecgafkj.exe | 38
PID 3028 wrote to memory of 2924 | 3028 | Eecgafkj.exe | 38
PID 3028 wrote to memory of 2924 | 3028 | Eecgafkj.exe | 38
PID 2924 wrote to memory of 1544 | 2924 | Eolljk32.exe | 39
PID 2924 wrote to memory of 1544 | 2924 | Eolljk32.exe | 39
PID 2924 wrote to memory of 1544 | 2924 | Eolljk32.exe | 39
PID 2924 wrote to memory of 1544 | 2924 | Eolljk32.exe | 39
PID 1544 wrote to memory of 2276 | 1544 | Ekblplgo.exe | 40
PID 1544 wrote to memory of 2276 | 1544 | Ekblplgo.exe | 40
PID 1544 wrote to memory of 2276 | 1544 | Ekblplgo.exe | 40
PID 1544 wrote to memory of 2276 | 1544 | Ekblplgo.exe | 40
PID 2276 wrote to memory of 2124 | 2276 | Ehgmiq32.exe | 41
PID 2276 wrote to memory of 2124 | 2276 | Ehgmiq32.exe | 41
PID 2276 wrote to memory of 2124 | 2276 | Ehgmiq32.exe | 41
PID 2276 wrote to memory of 2124 | 2276 | Ehgmiq32.exe | 41
PID 2124 wrote to memory of 1228 | 2124 | Edmnnakm.exe | 42
PID 2124 wrote to memory of 1228 | 2124 | Edmnnakm.exe | 42
PID 2124 wrote to memory of 1228 | 2124 | Edmnnakm.exe | 42
PID 2124 wrote to memory of 1228 | 2124 | Edmnnakm.exe | 42
PID 1228 wrote to memory of 2208 | 1228 | Epdncb32.exe | 43
PID 1228 wrote to memory of 2208 | 1228 | Epdncb32.exe | 43
PID 1228 wrote to memory of 2208 | 1228 | Epdncb32.exe | 43
PID 1228 wrote to memory of 2208 | 1228 | Epdncb32.exe | 43
PID 2208 wrote to memory of 2224 | 2208 | Fdbgia32.exe | 44
PID 2208 wrote to memory of 2224 | 2208 | Fdbgia32.exe | 44
PID 2208 wrote to memory of 2224 | 2208 | Fdbgia32.exe | 44
PID 2208 wrote to memory of 2224 | 2208 | Fdbgia32.exe | 44

Processes
-
Execution is one linear chain: every process in the table is the child of the row above it (depth n is spawned by depth n-1), so the tree is laid out as a table. From depth 2 onward each image lives in C:\Windows\SysWOW64\ and was launched with the command line C:\Windows\system32\<image>; the sample is 32-bit (its registry writes land under Wow6432Node), so WOW64 file-system redirection maps that system32 path to SysWOW64. Behaviour tags reflect only the IoCs the sandbox recorded: "Executes dropped EXE" is set on exactly 64 processes (depths 2 to 66, less Gcimop32.exe at depth 28), matching the 64-IoC cap per signature seen in this report's signature tables, and "Suspicious use of WriteProcessMemory" on the 16 writers of that table, so an untagged process deeper in the chain is not evidence that it behaved differently.

depth  image                                                               PID   behaviour tags
1      C:\Users\Admin\AppData\Local\Temp\63d04110afa327a9b2774f7d9da32b70N.exe   560   Loads dropped DLL; Suspicious use of WriteProcessMemory
2      Cafbmdbh.exe    2952  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3      Dahobdpe.exe    2848  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4      Dnlolhoo.exe    2896  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5      Difplf32.exe    2960  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
6      Dihmae32.exe    1264  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7      Dbqajk32.exe    2708  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8      Dlifcqfl.exe    2612  Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
9      Ehpgha32.exe    2400  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
10     Eecgafkj.exe    3028  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11     Eolljk32.exe    2924  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12     Ekblplgo.exe    1544  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13     Ehgmiq32.exe    2276  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14     Edmnnakm.exe    2124  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15     Epdncb32.exe    1228  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16     Fdbgia32.exe    2208  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17     Flmlmc32.exe    2224  Executes dropped EXE; Loads dropped DLL
18     Fefpfi32.exe    2288  Executes dropped EXE; Loads dropped DLL
19     Falakjag.exe    236   Executes dropped EXE; Loads dropped DLL
20     Flbehbqm.exe    1520  Executes dropped EXE; Loads dropped DLL
21     Fejjah32.exe    1076  Executes dropped EXE; Loads dropped DLL
22     Gkgbioee.exe    1116  Executes dropped EXE; Loads dropped DLL
23     Gdpfbd32.exe    908   Executes dropped EXE; Loads dropped DLL
24     Gkiooocb.exe    1812  Executes dropped EXE; Loads dropped DLL
25     Ghmohcbl.exe    920   Executes dropped EXE; Loads dropped DLL
26     Gklkdn32.exe    868   Executes dropped EXE; Loads dropped DLL
27     Gjahfkfg.exe    2584  Executes dropped EXE
28     Gcimop32.exe    2504  Loads dropped DLL
29     Gopnca32.exe    1580  Executes dropped EXE; Loads dropped DLL
30     Hjfbaj32.exe    2864  Executes dropped EXE; Loads dropped DLL
31     Hmdnme32.exe    2868  Executes dropped EXE; Loads dropped DLL
32     Hoegoqng.exe    2660  Executes dropped EXE; Loads dropped DLL
33     Hdapggln.exe    2648  Executes dropped EXE; Loads dropped DLL
34     Hbepplkh.exe    2264  Executes dropped EXE
35     Hgbhibio.exe    2496  Executes dropped EXE
36     Hqkmahpp.exe    2052  Executes dropped EXE
37     Iggbdb32.exe    3012  Executes dropped EXE
38     Inajql32.exe    2836  Executes dropped EXE
39     Iekbmfdc.exe    564   Executes dropped EXE
40     Ijhkembk.exe    1608  Executes dropped EXE; Drops file in System32 directory
41     Ibeloo32.exe    1060  Executes dropped EXE
42     Imkqmh32.exe    1448  Executes dropped EXE
43     Iceiibef.exe    1652  Executes dropped EXE
44     Jiaaaicm.exe    800   Executes dropped EXE
45     Jnafop32.exe    2516  Executes dropped EXE; Modifies registry class
46     Jekoljgo.exe    1476  Executes dropped EXE
47     Jbooen32.exe    1172  Executes dropped EXE
48     Jmhpfl32.exe    1164  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
49     Jdbhcfjd.exe    3048  Executes dropped EXE
50     Jjlqpp32.exe    1956  Executes dropped EXE
51     Jafilj32.exe    1720  Executes dropped EXE
52     Kfcadq32.exe    2840  Executes dropped EXE; Drops file in System32 directory
53     Kmmiaknb.exe    3044  Executes dropped EXE
54     Kdgane32.exe    2764  Executes dropped EXE
55     Kfenjq32.exe    2800  Executes dropped EXE; Drops file in System32 directory
56     Kblooa32.exe    2680  Executes dropped EXE
57     Lccepqdo.exe    2704  Executes dropped EXE; Drops file in System32 directory
58     Lllihf32.exe    2452  Executes dropped EXE; Modifies registry class
59     Lgejidgn.exe    2072  Executes dropped EXE
60     Laknfmgd.exe    2948  Executes dropped EXE
61     Lghgocek.exe    2912  Executes dropped EXE
62     Lamkllea.exe    2308  Executes dropped EXE
63     Lkepdbkb.exe    1892  Executes dropped EXE
64     Lpbhmiji.exe    2284  Executes dropped EXE
65     Mglpjc32.exe    2520  Executes dropped EXE
66     Mpeebhhf.exe    924   Executes dropped EXE
67     Mjmiknng.exe    1656  none
68     Mcendc32.exe    2968  none
69     Mlnbmikh.exe    1676  Adds autorun key to be loaded by Explorer.exe on startup
70     Mdigakic.exe    3004  none
71     Mookod32.exe    2364  none
72     Mhgpgjoj.exe    2016  none
73     Njjieace.exe    2856  none
74     Nqdaal32.exe    2108  none
75     Ngoinfao.exe    1056  Modifies registry class
76     Nmkbfmpf.exe    1344  none
77     Njobpa32.exe    2956  none
78     Nqijmkfm.exe    3024  none
79     Ngcbie32.exe    1712  none
80     Nmpkal32.exe    2336  none
81     Ncjcnfcn.exe    736   none
82     Ombhgljn.exe    2232  none
83     Oclpdf32.exe    1156  none
84     Opcaiggo.exe    3032  none
85     Ofmiea32.exe    1004  none
86     Opennf32.exe    2776  none
87     Oafjfokk.exe    1728  none
88     Ollncgjq.exe    832   none
89     Oaiglnih.exe    1624  none
90     Olokighn.exe    1052  Adds autorun key to be loaded by Explorer.exe on startup
91     Ompgqonl.exe    2992  none
92     Pfhlie32.exe    2348  none
93     Pmbdfolj.exe    1604  none
94     Phhhchlp.exe    1804  none
95     Pmdalo32.exe    2272  none
96     Pfmeddag.exe    1072  none
97     Pmgnan32.exe    1784  none
98     Pfobjdoe.exe    320   none
99     Pmijgn32.exe    1968  none
100    Pfaopc32.exe    2268  none
101    Phckglbq.exe    2832  Modifies registry class
102    Qomcdf32.exe    612   none
103    Qkcdigpa.exe    2696  none
104    Qeihfp32.exe    1920  none
105    Alcqcjgd.exe    880   none
106    Aekelo32.exe    2984  none
107    Akhndf32.exe    2040  none
108    Adqbml32.exe    2220  none
109    Agonig32.exe    1996  none
110    Aniffaim.exe    1348  none
111    Adcobk32.exe    2340  none
112    Akmgoehg.exe    2140  none
113    Alncgn32.exe    1592  none
114    Aefhpc32.exe    2652  none
115    Annpaq32.exe    2572  none
116    Bgfdjfkh.exe    1528  Drops file in System32 directory
117    Bhgaan32.exe    1576  none
118    Bjgmka32.exe    876   none
119    Bkhjcing.exe    1936  none
120    Bhljlnma.exe    1760  none
121    Bofbih32.exe    2844  none
122    Bhngbm32.exe    644   none